NCSC CAF to ISA/IEC 62443 Mappings
The NCSC's Cyber Assessment Framework (CAF) was developed to help critical national infrastructure (CNI) and government organisations to effectively manage cyber security risk. The table below details Ofgem mappings to ISA/IEC 62443 clauses and controls. The ISA/IEC 62443 set of standards outlines best practices for organisations to secure industrial automation and control systems (IACS) against cyber threats. IEC 62443-2-1 covers how to establish an effective cyber security management system (CSMS). IEC 62443-3-3 outlines specific system security requirements (SRs) and security levels. To see more detailed information and additional mappings, click through to individual outcomes.
CAF ID | CAF Outcome | 62443-2-1 | 62443-3-3 |
---|---|---|---|
A1.a | Board Direction | 4.3.2.3.1: Obtain senior management support; 4.3.2.3.2: Establish the security organisation; 4.3.2.3.4: Define the stakeholder team management; 4.3.2.6.8: Demonstrate senior leadership support for cyber security | |
A1.b | Roles and Responsibilities | 4.3.2.3.2: Establish the security organisation; 4.3.2.3.3: Define the organisational responsibilities; 4.3.2.5.4: Form a continuity team; 4.3.2.5.5: Define and communicate specific roles and responsibilities; 4.3.3.2.5: Document and communicate security expectations and responsibilities; 4.3.3.5.3: Authorize account access | |
A1.c | Decision-making | | |
A2.a | Risk Management Process | 4.2.3.10: Identify the reassessment frequency and triggering criteria; 4.2.3.11: Integrate physical, HSE and cyber security risk assessments; 4.2.3.12: Conduct risk assessments throughout the lifecycle of the IACS; 4.2.3.13: Document the risk assessment; 4.2.3.14: Maintain vulnerability assessment records; 4.2.3.1: Select a risk assessment methodology; 4.2.3.2: Provide risk assessment background information; 4.2.3.3: Conduct a high-level risk assessment; 4.2.3.8: Identify a detailed risk assessment methodology; 4.2.3.9: Conduct a detailed risk assessment; 4.3.2.2.1: Define the scope of the CSMS; 4.3.2.2.2: Define the scope content; 4.3.2.6.5: Determine the organisation's tolerance for risk; 4.3.4.2.1: Manage IACS risk on an ongoing basis; 4.3.4.2.2: Employ a common set of countermeasures; 4.3.4.3.3: Assess all the risks of changing the IACS; 4.4.3.5: Review risk tolerance; 4.4.3.6: Monitor and evaluate industry CSMS strategies | |
A2.b | Assurance | 4.3.4.4.7: Audit the information and document management process; 4.4.2.1: Specify the methodology of the audit process; 4.4.2.2: Conduct periodic IACS audits; 4.4.2.3: Establish conformance metrics | |
A3.a | Asset Management | 4.2.3.4: Identify the industrial automation and control systems; 4.2.3.6: Prioritise systems; 4.3.2.5.2: Determine the impacts and consequences to each system; 4.3.3.3.7: Maintain equipment assets; 4.3.3.3.9: Establish procedures for the addition, removal, and disposal of assets; 4.3.4.4.3: Classify all CSMS information assets | SR 7.8: Control system component inventory |
A4.a | Supply Chain | | |
B1.a | Policy and Process Development | 4.3.2.6.1: Develop security policies; 4.3.2.6.2: Develop security procedures; 4.3.2.6.3: Maintain consistency between risk management systems; 4.3.2.6.7: Review and update the cyber security policies and procedures; 4.3.3.2.1: Personnel security; 4.3.3.2.4: Address security responsibilities; 4.3.3.5.1: Access accounts implement authorization security policy; 4.3.3.6.1: Develop an authentication strategy; 4.3.3.6.6: Develop a policy for remote login and connections; 4.3.3.6.7: Disable access account after failed remote login attempts; 4.3.3.6.8: Require re-authentication after remote system inactivity; 4.3.3.7.1: Define an authorization security policy; 4.3.4.3.4: Require security policies for system development or maintenance changes; 4.3.4.3.5: Integrate cyber security and process safety management (PSM) change management procedures; 4.3.4.3.6: Review and maintain policies and procedures; 4.3.4.4.1: Develop lifecycle management processes for IACS information; 4.3.4.4.2: Define information classification levels; 4.3.4.4.4: Ensure appropriate records control; 4.4.3.2: Evaluate the CSMS periodically; 4.4.3.3: Establish triggers to evaluate CSMS; 4.4.3.8: Request and report employee feedback on security suggestions | |
B1.b | Policy and Process Implementation | 4.3.2.6.4: Define cyber security policies and procedure compliance requirements; 4.3.2.6.6: Communicate the policies and procedures to the organisation; 4.3.3.2.5: Document and communicate security expectations and responsibilities; 4.3.3.3.1: Establish complementary physical and cyber security policies; 4.3.3.3.5: Require employees to follow security procedures; 4.4.3.4: Identify and implement corrective and preventive actions | SR 1.12: System use notification |
B2.a | Identity Verification, Authentication and Authorisation | 4.3.3.5.2: Identify individuals; 4.3.3.5.5: Suspend or remove unneeded accounts; 4.3.3.5.6: Review account permissions; 4.3.3.5.8: Audit account administration; 4.3.3.6.2: Authenticate all users before system use; 4.3.3.6.3: Require strong authentication methods for system administration and application configuration; 4.3.3.6.5: Authenticate all remote users at the appropriate level; 4.3.3.6.9: Employ authentication for task-to-task communication; 4.3.3.7.2: Establish appropriate logical and physical permission methods to access IACS devices; 4.3.3.7.4: Employ multiple authorization methods for critical IACS | SR 1.13: Access via untrusted networks; SR 1.1: Human user identification and authentication; SR 1.2: Software process and device identification and authentication; SR 1.4: Identifier management; SR 1.5: Authenticator management; SR 1.6: Wireless access management; SR 2.1: Authorization enforcement; SR 2.2: Wireless use control; SR 2.3: Use control for portable and mobile devices; SR 2.5: Session lock; SR 3.8: Session integrity |
B2.b | Device Management | | SR 1.6: Wireless access management; SR 5.3: General purpose person-to-person communication restrictions |
B2.c | Privileged User Management | 4.3.3.3.2: Establish physical security perimeters; 4.3.3.3.3: Provide entry controls; 4.3.3.5.2: Identify individuals; 4.3.3.5.4: Record access accounts; 4.3.3.5.5: Suspend or remove unneeded accounts; 4.3.3.5.6: Review account permissions; 4.3.3.5.8: Audit account administration; 4.3.3.7.2: Establish appropriate logical and physical permission methods to access IACS devices; 4.3.3.7.4: Employ multiple authorization methods for critical IACS | SR 1.1: Human user identification and authentication; SR 1.2: Software process and device identification and authentication; SR 1.4: Identifier management; SR 1.5: Authenticator management; SR 2.6: Remote session termination; SR 5.3: General purpose person-to-person communication restrictions |
B2.d | Identity and Access Management (IdAM) | | SR 1.1: Human user identification and authentication; SR 1.2: Software process and device identification and authentication; SR 1.3: Account management; SR 1.4: Identifier management; SR 1.5: Authenticator management; SR 2.1: Authorization enforcement; SR 2.8: Auditable events; SR 3.8: Session integrity |
B3.a | Understanding Data | 4.3.4.4.6: Maintain information classifications | |
B3.b | Data in Transit | 4.3.3.3.6: Protect connections | SR 1.5: Authenticator management; SR 1.9: Strength of public key authentication; SR 3.1: Communication integrity; SR 4.1: Information confidentiality; SR 4.3: Use of cryptography |
B3.c | Stored Data | 4.3.3.3.2: Establish physical security perimeters; 4.3.3.3.3: Provide entry controls; 4.3.3.3.4: Protect assets against environmental damage | SR 1.5: Authenticator management; SR 1.8: Public key infrastructure (PKI) certificates; SR 1.9: Strength of public key authentication; SR 3.4: Software and information integrity; SR 4.1: Information confidentiality; SR 4.3: Use of cryptography; SR 7.3: Control system backup |
B3.d | Mobile Data | | |
B3.e | Media Equipment Sanitisation | 4.3.3.3.9: Establish procedures for the addition, removal, and disposal of assets; 4.3.4.4.4: Ensure appropriate records control | SR 4.2: Information persistence |
B4.a | Secure by Design | 4.2.3.5: Develop simple network diagrams; 4.3.3.4.1: Develop the network segmentation architecture; 4.3.3.4.2: Employ isolation or segmentation on high-risk IACS; 4.3.3.4.3: Block non-essential communications with barrier devices | SR 1.10: Authenticator feedback; SR 3.2: Malicious code protection; SR 5.1: Network segmentation; SR 5.2: Zone boundary protection; SR 5.4: Application partitioning |
B4.b | Secure Configuration | 4.2.3.4: Identify the industrial automation and control systems; 4.3.3.5.7: Change default passwords; 4.3.3.6.7: Disable access account after failed remote login attempts; 4.3.3.6.8: Require re-authentication after remote system inactivity; 4.3.4.3.1: Define and test security functions and capabilities; 4.3.4.3.5: Integrate cyber security and process safety management (PSM) change management procedures; 4.3.4.3.7: Establish and document a patch management procedure | SR 1.10: Authenticator feedback; SR 1.11: Unsuccessful login attempts; SR 1.5: Authenticator management; SR 1.7: Strength of password-based authentication; SR 2.2: Wireless use control; SR 2.3: Use control for portable and mobile devices; SR 2.4: Mobile code; SR 2.5: Session lock; SR 2.7: Concurrent session control; SR 3.4: Software and information integrity; SR 3.5: Input validation; SR 5.3: General purpose person-to-person communication restrictions; SR 7.6: Network and security configuration settings; SR 7.7: Least functionality; SR 7.8: Control system component inventory |
B4.c | Secure Management | 4.3.4.3.8: Establish and document antivirus/malware management procedure | SR 1.5: Authenticator management; SR 2.4: Mobile code; SR 3.2: Malicious code protection |
B4.d | Vulnerability Management | 4.2.3.7: Perform a detailed vulnerability assessment; 4.2.3.8: Identify a detailed risk assessment methodology | SR 3.3: Security functionality verification; SR 7.1: Denial of service protection |
B5.a | Resilience Preparation | 4.3.2.5.3: Develop and implement business continuity plans; 4.3.2.5.6: Create the backup procedures that support the business continuity plan; 4.3.2.5.7: Test and update the business continuity plan; 4.3.3.3.10: Establish procedures for the interim protection of critical assets | |
B5.b | Design for Resilience | 4.3.2.5.1: Specify recovery objectives; 4.3.3.3.6: Protect connections; 4.3.3.4.1: Develop the network segmentation architecture; 4.3.3.4.2: Employ isolation or segmentation on high-risk IACS; 4.3.3.4.3: Block non-essential communications with barrier devices | |
B5.c | Backups | 4.3.2.5.6: Create the backup procedures that support the business continuity plan; 4.3.4.3.9: Establish backup and restoration procedure | SR 7.3: Control system backup |
B6.a | Cyber Security Culture | 4.3.3.2.5: Document and communicate security expectations and responsibilities; 4.3.4.5.3: Establish a reporting procedure for unusual activities and events; 4.3.4.5.4: Educate employees on reporting cyber security incidents; 4.3.4.5.5: Report cyber security incidents in a timely manner | |
B6.b | Cyber Security Training | 4.2.3.2: Provide risk assessment background information; 4.3.2.4.1: Develop a training program; 4.3.2.4.2: Provide procedure and facility training; 4.3.2.4.3: Provide training for support personnel; 4.3.2.4.4: Validate the training program; 4.3.2.4.5: Revise the training program over time; 4.3.2.4.6: Maintain employee training records | |
C1.a | Monitoring Coverage | 4.3.3.3.8: Establish procedures for monitoring and alarming; 4.3.3.6.4: Log and review all access attempts to critical systems | SR 2.8: Auditable events; SR 6.2: Continuous monitoring |
C1.b | Securing Logs | | SR 2.11: Timestamps; SR 3.3: Security functionality verification; SR 3.9: Protection of audit information; SR 6.1: Audit log accessibility |
C1.c | Generating Alerts | 4.3.3.3.8: Establish procedures for monitoring and alarming; 4.3.4.3.8: Establish and document antivirus/malware management procedure; 4.3.4.5.7: Identify failed and successful cyber security breaches | SR 2.10: Response to audit processing failures |
C1.d | Identifying Security Incidents | 4.3.4.3.8: Establish and document antivirus/malware management procedure | |
C1.e | Monitoring Tools and Skills | | |
C2.a | System Abnormalities for Attack Detection | | |
C2.b | Proactive Attack Discovery | 4.3.4.3.8: Establish and document antivirus/malware management procedure | |
D1.a | Response Plan | 4.3.4.5.1: Implement an incident response plan; 4.3.4.5.2: Communicate the incident response plan; 4.3.4.5.6: Identify and respond to incidents | |
D1.b | Response and Recovery Capability | 4.3.4.3.9: Establish backup and restoration procedure | SR 7.1: Denial of service protection; SR 7.2: Resource management; SR 7.5: Emergency power |
D1.c | Testing and Exercising | 4.3.4.5.11: Conduct drills | |
D2.a | Incident Root Cause Analysis | 4.3.4.5.8: Document the details of incidents | |
D2.b | Using Incidents to Drive Improvements | 4.3.4.5.10: Address and correct issues discovered; 4.3.4.5.8: Document the details of incidents | |